Merge lp:~bac/lpsetup/nested-lxc into lp:lpsetup

Proposed by Brad Crittenden
Status: Merged
Approved by: Gary Poster
Approved revision: 66
Merged at revision: 63
Proposed branch: lp:~bac/lpsetup/nested-lxc
Merge into: lp:lpsetup
Diff against target: 142 lines (+100/-9)
3 files modified
README.rst (+36/-9)
lpsetup/templates/lxc-with-testing (+58/-0)
lpsetup/tests/integration/test_install_lxc.py (+6/-0)
To merge this branch: bzr merge lp:~bac/lpsetup/nested-lxc
Reviewer Review Type Date Requested Status
Gary Poster (community) Approve
Review via email: mp+116726@code.launchpad.net

Commit message

Make changes to allow nested LXCs for integration testing.

Description of the change

Make changes to allow nested LXCs for integration testing.

Revision history for this message
Gary Poster (gary) wrote :

Yay!

review: Approve

Preview Diff

=== modified file 'README.rst'
--- README.rst 2012-07-24 18:27:40 +0000
+++ README.rst 2012-07-25 18:52:21 +0000
@@ -86,15 +86,14 @@
8686
87There are two tests provided and each can run in either environment as87There are two tests provided and each can run in either environment as
88long as you specify using the '-e' command line option. The tests88long as you specify using the '-e' command line option. The tests
89are:89are in lpsetup/tests/integration.
9090
91lpsetup/tests/integration/non-lxc.py91The first, *test_init_host.py*, only tests the *init-host* command but
92lpsetup/tests/integration/juju-lxc.py92goes no further. The second, *test_install_lxc.py*, tests
9393*install-lxc*. If this test is run against a local LXC environment,
94The first only tests the *init-host* command but goes no further.94some changes need are first required to the host machine where the
95The second tests *install-lxc*. Due to bug 924281 (supposedly95test will be run. Follow the instruction in the next section before
96*fix-released* but still seen) this test cannot currently be run in an96launching the test.
97lxc container as it would require an lxc inside an lxc.
9897
99The tests bootstrap the environment for you and fail if it is already98The tests bootstrap the environment for you and fail if it is already
100running.99running.
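Review bot: two grammar slips in the added README text of this hunk: "some changes need are first required to the host machine" should read "some changes are first required on the host machine", and "Follow the instruction in the next section" should be "Follow the instructions in the next section". The substance is right, since the stale bug 924281 note is replaced by a pointer to the nested-LXC setup, so only the wording needs fixing.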
@@ -106,6 +105,34 @@
106 StrictHostKeyChecking no105 StrictHostKeyChecking no
107 UserKnownHostsFile /dev/null106 UserKnownHostsFile /dev/null
108107
108Required changes for using nested LXC containers
109~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
110
111In order to get nested LXCs working in precise a few work-arounds are
112required, mostly relating to apparmor.
113
114The description of what needs to be done is at:
115http://www.stgraber.org/2012/05/04/lxc-in-ubuntu-12-04-lts/
116
117For the testing scenario, the host machine must be manually changed
118once[1] with the following modifications:
119sudo cp lpsetup/templates/lxc-with-testing /etc/apparmor.d/lxc
120sudo /etc/init.d/apparmor reload
121sudo cp /usr/lib/lxc/templates/lxc-ubuntu /usr/lib/lxc/templates/lxc-ubuntu.orig
122sudo sed -i "s/#lxc.aa_profile = unconfined/lxc.aa_profile = lxc-container-with-nesting/" \
123 /usr/lib/lxc/templates/lxc-ubuntu
124
125Should you want to disallow the apparmor change made to the default
126ubuntu template:
127sudo mv /usr/lib/lxc/templates/lxc-ubuntu.orig \
128 /usr/lib/lxc/templates/lxc-ubuntu
129
130The other changes mentioned are handled by the test in the container
131launched by Juju.
132
133[1] If the *lxc* package changes such that the *ubuntu* template is
134modified, then the last two steps to update the template will be
135required to be performed again.
109136
110Linting137Linting
111~~~~~~~138~~~~~~~
112139
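Review bot: the rollback paragraph ("Should you want to disallow the apparmor change...") only restores the lxc-ubuntu template from lxc-ubuntu.orig; it leaves the lxc-container-with-nesting profile installed under /etc/apparmor.d/lxc and loaded. Since the sed line switches every container built from the default ubuntu template to that profile, the section should say so explicitly and document the full undo (remove the copied file from /etc/apparmor.d/lxc and run `sudo /etc/init.d/apparmor reload` again). A sentence noting that the file is installed as lxc-with-testing while the profile it defines is named lxc-container-with-nesting would also save readers a hunt when they grep for the name used in the sed command.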
=== added file 'lpsetup/templates/lxc-with-testing'
--- lpsetup/templates/lxc-with-testing 1970-01-01 00:00:00 +0000
+++ lpsetup/templates/lxc-with-testing 2012-07-25 18:52:21 +0000
@@ -0,0 +1,58 @@
1# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
2# will source all profiles under /etc/apparmor.d/lxc
3
4# {installation_header}
5
6profile lxc-container-with-nesting flags=(attach_disconnected,mediate_deleted) {
7 network,
8 capability,
9 file,
10 umount,
11
12 # addition for container nesting
13 mount -> /sys/fs/cgroup/**,
14 mount fstype=proc -> /var/cache/lxc/**,
15 mount fstype=sysfs -> /var/cache/lxc/**,
16 mount fstype=devpts -> /dev/pts/,
17 mount -> /usr/lib/lxc/root/,
18 mount -> /usr/lib/lxc/root/**,
19 mount /dev/pts/ptmx/ -> /dev/ptmx/,
20 pivot_root,
21 change_profile -> lxc-*,
22
23 # ignore DENIED message on / remount
24 deny mount options=(ro, remount) -> /,
25
26 # allow tmpfs mounts everywhere
27 mount fstype=tmpfs,
28
29 # allow mqueue mounts everywhere
30 mount fstype=mqueue,
31
32 # allow bind mount of /lib/init/fstab for lxcguest
33 mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
34
35 # deny writes in /proc/sys/fs but allow fusectl to be mounted
36 mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
37 deny @{PROC}/sys/fs/** wklx,
38
39 # block some other dangerous paths
40 deny @{PROC}/sysrq-trigger rwklx,
41 deny @{PROC}/mem rwklx,
42 deny @{PROC}/kmem rwklx,
43 deny @{PROC}/sys/kernel/** wklx,
44
45 # deny writes in /sys except for /sys/fs/cgroup, also allow
46 # fusectl, securityfs and debugfs to be mounted there (read-only)
47 mount fstype=fusectl -> /sys/fs/fuse/connections/,
48 mount fstype=securityfs -> /sys/kernel/security/,
49 mount fstype=debugfs -> /sys/kernel/debug/,
50 deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
51 mount fstype=proc -> /proc/,
52 mount fstype=sysfs -> /sys/,
53 deny /sys/[^f]*/** wklx,
54 deny /sys/f[^s]*/** wklx,
55 deny /sys/fs/[^c]*/** wklx,
56 deny /sys/fs/c[^g]*/** wklx,
57 deny /sys/fs/cg[^r]*/** wklx,
58}
059
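Review bot: the `# {installation_header}` placeholder on line 4 reads like a template substitution hook, but the README installs this file with a plain `cp`, so it is never filled in; either drop it or add a comment saying it is intentionally left as a literal (it is harmless as a comment). Beyond that, the block marked "# addition for container nesting" grants `mount -> /sys/fs/cgroup/**`, `mount fstype=proc -> /var/cache/lxc/**` and `change_profile -> lxc-*`, which is exactly what the nested container needs but also makes this profile broader than one meant for ordinary containers; the header comment should state that it is intended only for the integration-test host so the file is not copied into a general-purpose /etc/apparmor.d/lxc by mistake.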
=== modified file 'lpsetup/tests/integration/test_install_lxc.py'
--- lpsetup/tests/integration/test_install_lxc.py 2012-07-25 13:11:25 +0000
+++ lpsetup/tests/integration/test_install_lxc.py 2012-07-25 18:52:21 +0000
@@ -73,6 +73,12 @@
73 def set_up(self):73 def set_up(self):
74 super(InstallLXCTest, self).set_up()74 super(InstallLXCTest, self).set_up()
75 self.on_remote('cd lpsetup; sudo python setup.py install')75 self.on_remote('cd lpsetup; sudo python setup.py install')
76 # The installation of `lxc` is redundant as init-lxc does it but
77 # required to get the nested LXC work-around to work.
78 self.on_remote('sudo apt-get -y install lxc')
79 self.on_remote('sudo stop lxc')
80 self.on_remote('sudo sed -i "s/10.0.3/10.0.4/g" /etc/default/lxc')
81 self.on_remote('sudo start lxc')
7682
77 def do_test(self):83 def do_test(self):
78 """Run an end-to-end integration tests of the LXC lpsetup story."""84 """Run an end-to-end integration tests of the LXC lpsetup story."""
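Review bot: the `sudo sed -i "s/10.0.3/10.0.4/g" /etc/default/lxc` line changes the container network range without any comment explaining why; the preceding comment only covers the redundant `apt-get install lxc`. Add a line stating the intent (it appears to give the inner lxcbr0 a subnet distinct from the outer host's so the nested container does not collide with it), and consider anchoring the pattern, e.g. `s/10\.0\.3\./10.0.4./g`, since the unescaped dots match any character and `g` will rewrite every occurrence in the file. The `sudo stop lxc` / `sudo start lxc` pair are upstart commands, which matches the precise target named in the README, so that is fine as long as the README keeps stating the release.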
